Art.45 GDPR

GDPR Art.45: Transfers on the Basis of an Adequacy Decision

What This Control Requires

A transfer of personal data to a third country or an international organisation may take place where the Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation.

In Plain Language

Adequacy decisions are the easiest path for international transfers. When the European Commission decides that a third country (or a specific sector within one) offers data protection essentially equivalent to EU standards, it issues an adequacy decision. Transfers to those destinations can flow freely without SCCs, BCRs, or any other additional safeguards. The Commission looks at the rule of law, human rights protections, data protection legislation and its enforcement, independent supervisory authorities, and international commitments before granting adequacy. These decisions are not set in stone - they get reviewed periodically and can be amended, suspended, or revoked if protection levels drop. The Schrems I and Schrems II rulings showed just how real that risk is. As of early 2026, countries with full adequacy decisions include Andorra, Argentina, Canada (commercial organisations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (for organisations certified under the EU-US Data Privacy Framework). Always verify the current status and scope of any adequacy decision before relying on it.

How to Implement

Cross-reference your international transfer mapping against the European Commission's current list of adequacy decisions. For every transfer going to an adequate country, document which adequacy decision applies and confirm its scope covers your specific transfer. Pay close attention to scope limitations. The Canadian adequacy decision only covers commercial organisations subject to PIPEDA. The US Data Privacy Framework only covers organisations that have self-certified. If your data importer falls outside the scope, you need an alternative mechanism like SCCs - the adequacy decision will not protect you. For transfers to the United States under the Data Privacy Framework, verify that the importer is actually certified and that their certification is current. Check the DPF list maintained by the US Department of Commerce. Confirm the certification scope covers the type of data you are sending - some organisations only certify for HR data, others for commercial data, some for both. Monitor their status on an ongoing basis. Keep an eye on the adequacy decisions you depend on. The Commission reviews them at least every four years, and court challenges can invalidate them (as Schrems proved twice). Build contingency plans so you can switch to SCCs or another safeguard quickly if an adequacy decision is suspended or revoked. Being caught without a backup mechanism is a compliance failure regulators will not overlook. Record your reliance on adequacy decisions in your Records of Processing Activities and privacy notices. Your RoPA should identify which transfers are covered by adequacy, and your privacy notices need to tell data subjects about third-country transfers and the legal basis. Keep these current as adequacy decisions evolve.

Evidence Your Auditor Will Request

Register of international transfers relying on adequacy decisions with scope verification
Verification records for US Data Privacy Framework certification status (where applicable)
Records of Processing Activities identifying transfers covered by adequacy decisions
Privacy notices disclosing international transfers and applicable adequacy decisions
Contingency plans for adequacy decision revocation or suspension

Common Mistakes

Relying on an adequacy decision without verifying that the specific transfer falls within its scope
Failing to monitor the ongoing status of adequacy decisions relied upon
No contingency plan in case an adequacy decision is revoked or suspended
Transferring data to US organisations under the Data Privacy Framework without verifying their certification status
Privacy notices not disclosing international transfers or the legal mechanism relied upon

Related Controls Across Frameworks

Framework	Control ID	Relationship
ISO 27001	A.5.34	Related

Frequently Asked Questions

Which countries currently have adequacy decisions?

As of early 2026, the list includes Andorra, Argentina, Canada (commercial organisations under PIPEDA), Faroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, the United Kingdom, Uruguay, and the United States (certified organisations under the EU-US Data Privacy Framework). Check the European Commission's website for the latest, as this list does change.

Do we still need SCCs for transfers to an adequate country?

Not if the adequacy decision fully covers your transfer. That is the whole point - adequacy lets data flow without additional safeguards. But watch the scope. If the adequacy decision only covers certain sectors or types of organisation and your importer falls outside that scope, you will still need SCCs or another mechanism.

What happens if an adequacy decision is revoked?

You lose your legal basis for the transfer and need to switch to an alternative mechanism, typically SCCs, before continuing to send data. This is why having a contingency plan matters. If you already have SCCs drafted and ready to execute, you can switch over with minimal disruption. Getting caught flat-footed when an adequacy decision falls is entirely avoidable.

Track GDPR compliance in one place

AuditFront helps you manage every GDPR control, collect evidence, and stay audit-ready.

Start Free Assessment